SCA: security update for com.mchange:mchange-commons-java (GHSA-m2cm-222f-qw44)

high Tenable Cloud Security Plugin ID 437980

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- mchange-commons-java, a library that provides Java utilities, includes code that mirrors early
implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by
which code can be downloaded and invoked within a running application. If an attacker can provoke an
application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke
the download and execution of malicious code. Implementations of this functionality within the JDK were
disabled by default behind a System property that defaults to `false`,
`com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent
implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that
implementation could be provoked to download and execute malicious code even after the JDK was hardened.
Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters
that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions
prior to 0.4.0 should be avoided on application CLASSPATHs. (CVE-2026-27727)

See Also

https://github.com/advisories/GHSA-m2cm-222f-qw44

Plugin Details

Severity: High

ID: 437980

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 2/25/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.03

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-27727

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.9

Threat Score: 7.4

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/25/2026

Vulnerability Publication Date: 2/25/2026

Reference Information

CVE: CVE-2026-27727